GBPPR 'Zine 





Issue #110 / The Monthly Journal of the American Hacker / June 2013 


"Let's celebrate diversity by having the next dean NOT be Jewish." 


——— Quote from Anya Bargh, 32, a student at the University of Connecticut School of 
Law. She was arrested in April because of emails she allegedly sent in February to 
the Student Bar Association regarding the search for the new law dean. 


| can assure you, all those hook—nosed lawyers who scream about "freedom of 
speech" (or diversity) will NOT be coming to her aid! 


(abovethelaw.com/201 3/04/law—student—arrested—for—anti—semitic—racist-threatening—comments) 
(vnnforum.com/showthread.php?t=154541) 


Table of Contents 


¢ Page 2 / Centrex Data Loop and Console Control - Description & Theory /#1A ESS -— Part 1 
¢ Discussion of the Centrex data loop and remote interface system in conjunction with a #1A ESS. 


« Page 16 / Review of "The al-Qa'ida Papers - Drones" 
¢ Point—by—point overview of the newly found documents on avoiding drones. 


¢ Page 20 / GBPPR 800 MHz Cellular Phone Jammer 
@ RF jammer for the U.S. 800 MHz cellular, public safety, and trunked radio bands. 


¢ Page 35 / Bonus 
¢ DlEversity 


¢ Page 36 / The End 
¢ Editorial and rants. 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


BELL SYSTEM PRACTICES SECTION 231-037-000 
AT&TCo Standard Issue 2, June 1977 
CENTREX DATA LOOP AND CONSOLE CONTROL 
DESCRIPTION /THEORY 
2-WIRE NO. 1 GR NO. 1A ELECTRONIC SWITCHING SYSTEM 


CONTENTS PAGE CONTENTS PAGE 
1. GENERAL peer Seer emer ramen ner Sake 2 CONSOLE LAMP CONTROL CODE FORMATS 
18 
2. CENTREX EQUIPMENT DESCRIPTION e 4 5 
A. Lamp Control Prefix Ge cea te ae eS. 
CENTREX DATA LINK FRAME yee Sia fy 5 
B. Lamp State Code Formats ©, uy 24 
DATA LINK INTERCONNECTIONS he ose 7 
C. Lamp State Memory ..... . 21 
CENTREX CONSOLE CONTROL CABINET. 8 
D. Lamp State Changes in the LMLM . 22 
REMOTE DATA INTERFACE SYSTEM ae 8 
E. Optional Trunk Busy Memory oe 
3. CENTREX DATA LOOP AND DATA LOOP 
SIGNAL TRANSMISSION Scare ae aamey mea 1 CONSOLE KEY FORMAT & deca cee He Gate 199 
CENTREX DATA LOOP Pe ee ee ae ee MAINTENANCE ORDERS gd ee. oe Oe 
A. Data Shift Registers Sete ean ene | 7. THEORY — REMOTE DATA INTERFACE . 26 
B. Lamp Data Transmission eee eee es AUTOMATIC CALL DISTRIBUTION, PHASE 2 
C. Key Signal Transmission ers cay a lle 
AUTOMATIC CUSTOMER MESSAGE 
D. Key Scan Program i he ee a EG) OUTPUTTING SYSTEM a ar ake! tee te Ree 2B 
4. THEORY — INTRODUCTION Coe eern eae I} CUSTOMER OWNED AND MAINTAINED MIS 
EQUIPMENT Sy tee aty es Gee eae 
5. THEORY — DATA LOOP LINE SIGNAL 
TRANSMISSION sens oe Ser vee as ee See IS 8. THEORY — POWER, FUSES, AND FUSE 
ALARM: cy Sooo ks ce, He eye 228 
A. Line Signal Data Transmission er 13 
9. MAINTENANCE lata sree ee 
B. Line Signal Data Recovery eo Pa 
GENERAL & 3) a ee 28 
6. THEORY — CONSOLE LAMP CONTROL 
AND KEY SIGNALING ...... . I7 SOFTWARE TEST PROCEDURES ... . 29 
CONSOLE LAMP CONTROL 2 Bo ea AZ MANUAL TEST PROCEDURES yn je oie) ee. 
NOTICE 


Not for use or disclosure outside the 
Bell System except under written agreement 


Printed in U.S.A. Page 1 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


SECTION 231-037-000 


CONTENTS 


10. REFERENCES 


FIGURES 


1. Basic 2-Wire No. 1 or No. 1A ESS Centrex 
System 


2. ESS Centrex Data Link Frame 
3. ESS Centrex Console Control Cabinet 
4. Centrex-CO or PBX-CO Services Using 


Console Control Cabinet — Block Diagram 


5. Centrex Service Using Remote Data Interface 


System — Block Diagram 

6. Centrex Data Link Circuit — Overall Block 
Diagram 

7. Basic Data Transmitter — Block Diagram 


8. Transmitter Oscillator Waveforms 

9. DC Binary Signal and Resulting Line Signal 

10. Basic Data Receiver (Remote End) — Block 
Diagram 

11. Centrex Lamp Control Code Formats 


12. Loop and Miscellaneous Lamp Memory 
(LMLM) 


13. Call Indicator Lamp Memory (CILM) 

14. Optional Trunk Busy Memory (OTBM) 

15. Use of Optional Trunk Busy Memory in 
a 2B-Type or 47A-Type Console Installation 


16. Console Key Signal Bit Assignments 


Page 2 


PAGE 


29 


11 


15 


17 


17 


17 


18 


19 


23 


24 


24 


25 


26 


CONTENTS PAGE 
TABLES 
A. Centrex Console Key Codes ane aay 4 4 
1. GENERAL 


1.01 This section describes the centrex data loop, 

the console control system, and the remote 
interface system used in conjunction with the 
2-wire No. 1 or 1A Electronic Switching System 
(ESS) equipped to provide centrex-CO and PBX-CO 
service. For a general description of centrex-CO 
and PRX-CO service designed for the 2-wire No. 
1 and 1A ESS, reference should be made to Section 
966-102-100. 


Note: Effective with what would have been 
CTX-8, Issue 4, of No. 1 ESS, the equivalent 
generic program designation is 1E4. The 
correspoinding generic designation for No. 1A 
ESS is 1AE4. 


1.02 This section is reissued to include information 

concerning the remote data interface system 
and to make minor corrections. Since this reissue 
is a general revision, arrows ordinarily used to 
indicate changes have been omitted. 


1.03 This section includes the following information: 
e Theory of operation 


e The 51A-customer premises system attendant 
console 


e Remote data interface customer premises 
system 


e Centrex data link circuit overall block diagrams 
e Maintenance philosophy and procedures, 


1.04 Centrex-CO and PBX-CO service may be 
provided as follows: 


(a) With remote data interface equipment 
requiring data link hardware. 


(b) With 1B-, 2B-, 27A-, or 47A-type 51A-Customer 
Premises Systems (CPSs) attendant consoles 
that require centrex data link hardware. 





Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


(c) With 121-, 131-, and 151-type 50A-CPS 
attendant consoles that do not require centrex 
data link hardware. 


(d) Without attendant consoles (using call director, 
keyset, or simple telephone as attendant 
position). 


1.05 This section describes the centrex data loop 

and console control system operation when 
providing centrex-CO and PBX-CO service with 
the 1B-, 2B-, 27A-, and 47A-type consoles or with 
remote data interface system equipment. 


1.06 The operation of the centrex data loop and 
console control system for centrex-CO and 
PBX-CO service is basically the same. The primary 
difference is the modification of centrex-CO 
translations to simulate PBX-CO service. 


Note: For convenience of reference in this 
document, centrex-CO and PBX-CO customer 
service is referred to as centrex service. 


1.07. This centrex service utilizes the data handling 

capabilities and switching facilities of a 
2-wire No. 1 or 1A ESS central office. All centrex 
operations are under the control of the central 
control (CC) or the signal processor (SP) in the 
ESS office to which the customer group is connected. 


1.08 In order to control the lamp states and to 

receive key signals from the remote centrex 
attendant consoles, a data loop and a console control 
system are employed. Figure 1 is a block diagram 
of a typical centrex customer group. The centrex 
data loop connects the attendant telephone consoles 
at the customer premises with the 2-wire No. 1 
or 1A ESS central office. This loop is a peripheral 
unit which provides 2-way data communications 
between the central office and the attendant consoles. 
Lamp data is transmitted by means of this loop 
to the attendant consoles in order to control the 
states of lamps on the consoles. The console 
lamps indicate service requests or other supervisory 
signals to the attendant. Key signals from the 
attendant consoles are also transmitted to the 
central office by the data loop. These key signals 
are interpreted at the ESS central office as requests 
for specific actions at the central office. Only 
one console is shown although as many as four 
may be controlled by a single data loop and console 
control system. 


ISS 2, SECTION 231-037-000 


1.09 In order to provide data for use by a 

management information system (MIS) or 
other peripheral equipment (CRT, printer, etc) at 
the customer premises, a remote data interface 
system is installed on the customer premises to 
provide the necessary interface functions. 


1.10 The central office end of a centrex data loop 
terminates in a centrex data link circuit 
mounted on a centrex data link frame in the ESS 
central office. The data link is a peripheral unit 
which provides the interface between the data loop 
and the ESS central office control equipment. 


1.11. The remote end of the data loop terminates 

in a console control circuit contained in the 
51A-CPS centrex console control cabinet or in a 
remote data interface system at the customer 
location. The console control circuit provides the 
interface between the data loop and the attendant 
consoles. The remote data interface provides the 
interface between the data loop and a management 
information system or other peripheral equipment. 


1.12 Listed below are the abbreviations used in 
this section: 


ACD Automatic call distribution 

ACMOS Automatic customer outputting 
system 

BPS Bits per second 

cc Central Control 

CCC Console control cabinet 

CILM Call indicator lamp memory 

CPD Central pulse distributor 

CPS Customer premises system 

CXDxX Centrex data link and console 
demand exercise 

ENST Enable-start 

ESS Electronic switching system 

KSP Key signal present 


Page 3 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 





SECTION 231-037-000 





MIS 
OR OTHER 
EQUIPMENT 





REMOTE 
CATA 
INTERFACE 








DATA LOOP 































CENTREX 


























NO. | OR NO, IA 






























































ESS CENTRAL 
DATA LOOP BALE IMS PROCESSOR 
CENTREX 
CONSOLE 
CONTROL e 
1 
Corey (TWO PAIRS) 
ATTENDANT CONSOLE 
ATTENDANT 
TRUNK CIRCUIT 
(TALKING PATH) 
SUBSCRIBER 
LINES 
ATND 
|_| TRUNK 
1] too 
' 
Lo circuits 
[| Te 
TRUNKS 
AND 
FOREIGN 
+e |} EXCHANGE 
TRUNKS 
TO OTHER 
SWITCHING = 
SYSTEMS 
CENTREX STATIONS 
LINE TRUNK 
LINK LINK 
NETWORK NETWORK 


CUSTOMER 
PREMISES 








INTERCONNECTING 


CENTREX CUSTOMER GROUP ae LINES 


Fig. 1—Basic 2-Wire No. 1 or No. 


Page 4 





NON~CENTREX 


SUBSCRIBER 


ESS SWITCHING 
FRAMES 


2-WIRE NO. | ESS CENTRAL OFFICE 


1A ESS Centrex System 


LMLM Loop and miscellaneous lamp 
memory 

LSP Lamp signal present 

MIS Management information system 

MS Mark-space 

OTBM Optional trunk busy memory 

RDI Remote data interface 

SP Signal processor 

TBM Trunk busy memory 

TTY Teletypewriter. 


2. CENTREX EQUIPMENT DESCRIPTION 


2.01 In addition to attendant consoles and station 

telephones, two other specialized equipment 
units are required for centrex operation. These 
are the centrex data link frame (Fig. 2), located 
in the ESS central office, and a centrex console 
control cabinet (Fig. 3), or remote data interface 
system, located at the customer’s premises. The 
centrex data link frame provides the interface 
between the ESS central office equipment and the 
data loop. The centrex console control cabinet 
(CCC) or remote data interface (RDI) provides the 
interface between the consoles or other equipment 
and the data loop. 


CENTREX DATA LINK FRAME 


2.02 A centrex data link frame (Fig. 2) is a 

standard 7-foot frame which can house a 
maximum of eight data links and the associated 
common equipment. The frame may be partially 
equipped, but link 0 must always be installed. 
There is a maximum of four frames per office 
through generic program CTX-8, Issue 3. Beginning 
with generic program 1E4 (1AE4), an office may 
have a maximum of eight data link frames. 


2.03 The common equipment includes facilities 

for reading peripheral bus information and 
facilities for receiving enable signals from the 
central pulse distributors (CPDs). The common 
circuitry also includes the data link address bus 
and the dynamic buffer registers. 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS - Part 1 





ISS 2, SECTION 231-037-000 


COMMON 
EQUIPMENT 


DATA LINK O 


DATA LINK | 


DATA LINK 2 


DATA LINK 3 


DATA LINK 4 


DATA LINKS 


DATA LINK 6 


DATA LINK 7 


FUSE PANEL 


FILTER 
PANEL 
(IN BASE) 





Fig. 2—ESS Centrex Data Link Frame 


2.04 Tach data link circuit contains a data link 

controller and a scanner buffer circuit in 
addition to the data transmitter, receiver, and shift 
register. 


2.05 The data link controller accepts the enable 
signals from the common equipment and 


Page 5 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS - Part 1 





SECTION 231-037-000 


CONNECTING BLOCKS 





SLIDE 2 


CENTREX CONSOLE 
CONTROL UNIT 


OR 
TRUNK BUSY 
MEMORY bod 3 


LAMP MULTIPLE UNIT 
(CONTROL POSITION I) 


CENTREX CONSOLE 
CONTROL UNIT 
(CONTROL POSITION 0} 


COMMON 
EQUIPMENT UNIT 
WITH RELAY UNT 


POWER SUPPLY | POWER SUPPLY 2 


Fig. 3—ESS Centrex Console Control Cabinet 


Page 6 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


selects the peripheral bus containing the desired 
data. The controller also provides timing functions 
and sequencing of events necessary to initiate the 
reading of the peripheral bus data and to transmit 
the received data word. 


2.06 The scanner buffer circuit contains buffer 
circuits necessary to supply the current to 
drive scan points. 


2.07 Each data link also contains a bit counter 
used to determine the end of transmission 
by counting the number of bits transmitted. 


2.08 A centrex data link circuit performs the 
following functions: 


(a) Accepts and temporarily stores a 24-bit word 
from either of the two peripheral buses 


(b) Converts this stored word into a sequence 
of mark and space signals and transmits 
them to the line in serial form 


(c) Generates the line-signal intelligence by a 
frequency-shift method of signaling 


(d) Simultaneously transmits and receives data 
at a rate of 1400 bits per second (BPS) and 
temporarily stores the received information in 
the same location (data shift register) that 
previously contained the transmitted word 


(e) Initiates data transmission when requested 
by either the central office or the remotely 
located centrex equipment. 


DATA LINK INTERCONNECTIONS 


2.09 Each centrex data link frame is equipped 

with scan points, signal distributor points, 
duplicated CPD points, and connections to the 
duplicated peripheral unit bus. 


Central Pulse Distributor Points 


2.10 Each centrex data link frame is provided 

with two duplicated CPD points per data 
link. A CPD point is assigned to gate data into 
the shift register from each peripheral unit bus. 
This permits a choice of either bus and either 
CPD; therefore, four different routes are available 
to load the shift register. The other CPD point 
causes the data link to go into the transmit mode. 


ISS 2, SECTION 231-037-000 


A special reverse sequence of these points is also 
used to place the link in a test mode in which the 
shift register can be shifted one step at a time on 
command. : 


Signal Distributor Point 


2.11 One signal distributor point is assigned per 
data link to provide a maintenance function. 
This point is a part of the data loop transfer circuit 
(Fig. 4). It is used to switch the data loop from 
a normal loop to a local loop condition te aid in 
isolating troubles in the data loop circuitry. 


Supervisory Scan Points 


2.12 One supervisory scan point is assigned per 

data link frame as a common fuse alarm. 
This is a supervisory scan point scanned at a 
100-millisecond rate. If a data link or the common 
equipment on a data link frame should develop a 
power failure due to a blown fuse, this supervisory 
scan point is energized, and an indication is displayed 
on the ESS master control center alarm, display, 
and control panel. 


2.13 The data link frame is also equipped with 
an alarm retire key which has an associated 
supervisory scan point. 


2.14 A set of scan points (one per data link) is 

employed to indicate that a valid data loop 
is present (that is, a 700-cycle tone is present in 
both directions). 


Directed Scan Points 


2.15 Two 16-point information scan rows are 

assigned per data link to provide access to 
the centrex data unit shift register. These scan 
points are assigned in adjacent rows. Twenty-six 
of the scan points are delegated to read the contents 
of the shift register; four are assigned to indicate 
the state of the console for maintenance and 
checking purposes; and two are spares. These 
scan points are scanned whenever the key signal 
present (KSP) fast scan point indicates the presence 
of data. The information row scan point assignment 
has been arranged so that the data link can grow 
smoothly from a 1-console to a 4-console installation. 


Page 7 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS —- Part 1 


SECTION 231-037-000 


Fast Supervisory Scan Points 


2.16 Each centrex data link is equipped with a 

KSP scan point. This is a supervisory scan 
point which is saturated when a key signal is 
received from an attendant console at a remote 
customer location. Before any lamp data is 
transmitted from the central office to the remote 
location, this scan point is examined to determine 
whether or not there is a key signal or interrogate 
word stored in the data register. If one is present, 
lamp data transmission is delayed until the key 
signal has been read out. Entire scanner rows of 
16 scan points are assigned for the exclusive use 
of the KSP function. Unused scan points in these 
rows will not be used for other purposes. If there 
are more than eight data links in a central office, 
the additional scanner rows need not be on adjacent 
rows in the scanner. 


CENTREX CONSOLE CONTROL CABINET 


2.17. Each centrex customer with 1B, 2B-, 27A-, 
or 47A-type attendant consoles is provided 
with a centrex console control cabinet (Fig. 3). 
This cabinet provides the interface between the 
data loop and the attendant consoles. One console 
control cabinet is capable of controlling a maximum 
of four of the small (1B- or 27A-type) attendant 
telephone consoles. For large (2B- or 47A-type) 
attendant console installations, the first such cabinet 
can be equipped to handle three large consoles 
and one trunk busy memory (TBM) unit. Additional 
cabinets belonging to the same customer group 
can be equipped to handle four large consoles. 


2.18 A centrex console control cabinet may be 

shared by different centrex customer groups 
under the restrictions covered in Section 966-102-100. 
2.19 This centrex console control cabinet contains 

equipment common to all consoles controlled 
by the cabinet and equipment added on a per 
console basis. 

COMMON EQUIPMENT 

Common control equipment 

Power supply (one per slide) 

Trunk busy memory unit (for 2B- or 47A-type 


consoles and position no. 1, first cabinet 
only) 


Page 8 


Lamp multiplying circuit (in position no. 1, 
ninth cabinet only) 


ADDED EQUIPMENT PER CONSOLE 
Console control unit 


2.20 The console control cabinet provides the 
following functions: 


(a 


Encodes attendant console key signals 


(b) Transmits key signals as data to the central 
office 


(c) Receives lamp data from the central office 


(d 


Decodes lamp data received from the central 
office 


(e) Provides timing 


(f) Furnishes local power 


LS 


(g) Provides the lamp interrupter circuitry 


(h 


Contains the lamp memories 


(i) Contains a pulser circuit for controlling 
ferreeds in the lamp memories 


(j) Receives and decodes special non-lamp-order 
words for interrogate and diagnostic purposes. 


REMOTE DATA INTERFACE SYSTEM 


2.21. Each centrex customer with an MIS, ACD 
phase 2, ACMOS, or similar customer 
premises terminal equipment requires an interface 
with the ESS and is provided with a remote data 
interface (RDI) system designed for the specific 
terminal equipment (Fig. 5). The RDI is available 
beginning with generic program 1E4 (1AE4). 


2.22 The RDI system is composed of a combination 
of the following types of equipment: 


Modulator-demodulator 


Interface equipment 


Programmable controller 


~~ 
~ 
S 
oO 
I 
op) 
Y) 
W 
<x 
~ 
+5 
SS 
= 
1) 
= 
~~ 
08 
i= 
= 
=) 
g 
x 
1S) 
g 
Q 
I 
rs) 
= 
S 
O 
2 
io) 
7) 
S 
© 
x) 
‘= 
© 
5) 
.o) 
~! 
3 
Q 
*< 
ic) 
os 
5 
O 





TO 


bes 














LINE 
LINK 
NETWORK 





TRUNK 
LINK 
NETWORK 




















CENTRAL 
CONTROL 


PERIPH UN BUS 


CENTRAL 
PULSE 
DISTRIBUTOR 





CABLE RECEIVER AND 





BUFFER REGISTER 


CENTREX DATA LINK FRAME 


TO CENTREX 
OPERATOR 
VIA 
TRANSMISSION 
FACILITIES 














TO MAXIMUM 
OF 7 OTHER 
DATA LINKS 

(SAME FRAME ) 


DATA LINK 
CONTROLLER 


























SIGNAL 
DISTRIBUTOR 

















CENTREX CONSOLE CONTROL CABINET 


















































—> RCVR 
CONSOLE 
CONTROL 
-—_—— 3 
TEL CONSOLE 3 
g 
ao an oe «| 
<a a °° TEL CONSOLE 2 
° a a 
aii “6 za 
a ¢ 
oa 5g Bite 
Sz Fo 
rs) ea rs) -—_——| 
Ee TEL CONSOLE | 
—> 
























































b 
4 
& 
« 
wi 
3 
a 

z 
a g 
go FE 
ag a 
= 8 
=] 
< 
= 
a 

RCVR he} 

y 

MASTER 

SCANNER 




















1B-,2B-,27A, OR 47A 
TYPE TELEPHONE CONSOL 








Fig. 4—Centrex-CO or PBX-CO Services Using Cons¢ 
Control Cabinet—Block Diagram 


10 


11 

















YOLNEIYLSIC 
TWNOIS 








1 

















MLWYL a t i +> YADN 





























8 Ze g HOLNAIdLSIq 
3 = Zo asiind 
2 Ro rc 2 Tim WHLN39 
rs) 29 ° Be 
2 » Zz 8 2 os ie 
Sie ge me v balay Sa Dn 
ed re Se ee ee ae 2.0 
Cz ax am [*74 2 OF ° am 
C a a 4 ee 
s le 3 2 m4 rs QE 
g 2 pas] & 2 mz om 
i] Ore fl Pa AD 
4 R< m io 
4 D bas 
2 So 
le | —— & 



































SN@ NN Hdldad 








TONLNOD 
Wana. 





(aWV44 3NVS ) 
SMNIT Viva 
YBHLO 2 40 
WOWIXVW OL 









































' TONLNOD ATOSNOD X3Y¥LNI9 SWV44 NIT Vivd X3YLN39 





[—— | SNOILvLS 
YaWOLSND 
OL SANIT 


S3iLioW4 






































NOISSIWSNVYL YYOMLIN | XYOMLIN 
VIA NIT NIT 
Sania oi >NNYL aNni7 
BWVu4 UNTYL OSIN 
iW3Yd YSWOLSND : BOIAYSS XSYLNID HLIM GSONVYEYNV 391440 SS3 VI YO 1'ON 3YIM-2 


b al 
She 
S} 
oO 
W 
Uv) 
W 
x 
b al 
=S 
= 
S 
2 
- 
CB 
c 
2 
— 
2 
x 
S 
g 
Q 
I 
rr) 
= 
S 
O 
2 
3 
7) 
S 
O 
xs) 
= 
8 
° 
3 
4 
& 
Q 
e 
@ 
= 
3 
O 





Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


2-WIRE NO. 1 OR 
1A ESS CENTREX 
CENTRAL OFFICE 





DATA LOOP 





MODULATOR- 
DEMODULATOR 
MODULATOR- 
DEMODULATOR 









—$—— dy 


REMOTE DATA INTERFACE 


ISS 2, SECTION 231-037-000 


CUSTOMER PREMISES 


AGENT CONSOLES 
SUPRV. CONSOLES 


CRT DISPLAY 





CALLS WAITING INDICATOR 


TAPE 
DISC 
CRT 


PRINTER 


Fig. 5—Centrex Service Using Remote Data Interface System—Block Diagram 


Buffer-multiplexer. 


3. CENTREX DATA LOOP AND DATA LOOP SIGNAL 
TRANSMISSION 


CENTREX DATA LOOP 


3.01 Console lamp state changes and key signals 

are transmitted as data between the customer 
location and the central office by means of the 
data loop. Figure 4, a block diagram of centrex 
service, illustrates this data loop. 


3.02 The centrex data loop consists of two separate 

2-wire unidirectional data links. These data 
links are interconnected at the central office end 
and at the customer end by means of transmitting 
and receiving circuitry in such a way that the two 
links form a complete loop. 


3.03 Lamp data used to control the states of the 
lamps on the consoles is transmitted from 
the central office to the attendant consoles, and 


key signal data is transmitted from the customer 
location to the central office by means of this data 
loop. Voice frequencies are used for transmission. 
A synchronous form of transmission is employed; 
therefore, the receiving end of a data loop is always 
in synchronism with the transmitting end. 


3.04 Data is transmitted serially in the form of 

a 26-bit data word which contains 24 
information bits plus a leading 1 and a control bit. 
The leading 1 is used to indicate to the data 
receiver circuit at the remote end of the data loop 
that transmission has started. 


A. Data Shift Registers 
3.05 A 26-bit shift register is located at both 
the central office end and the customer end 


of the data loop. These shift registers provide 
the means for parallel-to-serial and serial-to-parallel 


Page 11 





12 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


SECTION 231-037-000 


conversion of the transmitted and the received 
data. 


3.06 The data shift register located at the central 

office end of a data loop accepts the 24 bits 
of data from the peripheral unit bus and temporarily 
stores it before the data is transmitted as lamp 
data to the remote end of the data loop. In 
addition, this register is also used to receive and 
temporarily store key signal data originating from 
the remote end. The CC (or SP) at the central 
office can read out the contents of this register 
via scan points when key signal data is received. 


3.07. The data shift register located at the customer 

end of the data loop accepts and temporarily 
stores 24 bits of data originating from keys being 
depressed on the console. (This data is transmitted 
as key signal data to the central office end of the 
data loop.) In addition, this register receives and 
temporarily stores the lamp data which is used 
for controlling the console lamps transmitted from 
the central office end. 


3.08 Transmission on the data loop is controlled 

by the circuitry located in the central office. 
However, a request to transmit the contents of a 
register may be initiated by either the CC (or the 
SP) at the central office or by the attendant console 
circuitry at the customer’s premises. 


3.09 When a data loop is in an idle state (that 

is, no data is being transmitted in either 
direction), spaces (binary Os) are, in effect, being 
transmitted continuously in both directions. Upon 
receiving a request to transmit, the transmitting 
circuitry at the central office applies the contents 
of the shift register to the line in serial form. 
The first pulse transmitted is always a mark (a 
binary 1). The receipt of an initial mark changes 
the state of the receiver at the remote end from 
idle to active and causes the receiving shift register 
to shift in synchronism with the received line signal. 


3.10 When either the CC or the console circuitry 

requests transmission of a data word, the 
two registers interchange their contents. Since 
normally only one of these registers contains any 
information when a data transmission occurs, a 
blank word containing all 0s (spaces) is usually 
transmitted in one direction. If the central office 
end of the loop requests to transmit, the register 
at the remote end usually transmits all 0s. If the 
remote end of the loop requests to transmit, the 


Page 12 


register at the central office end of the loop usually 
transmits all Os. In some instances, however, both 
registers will contain information. Data is 
transmitted at a rate of 1400 BPS in either direction. 


B. Lamp Data Transmission 


3.11 Service requests and other supervisory signals 
are sent as lamp data from the ESS central 
office to the customer location by means of the 
cata loop. Lamp data is sent from the CC (SP) 
over the peripheral bus to the common control 
equipment in a centrex data link frame. The 
common control equipment selects the proper lamp 
data transmitter, which is enabled by the CPD. 
From here, the data is loaded into a register and 
transmitted serially as binary coded signals by 
means of a data link to a data receiver at the 
centrex customer location. The lamp control circuit 
decodes the message and stores it in a lamp state 
memory unit. The lamp state memory then operates 
the selected console lamps to the desired state. 


C. Key Signal Transmission 


3.12 Key signals are generated when an attendant 

operates a console key. These signals are 
encoded by an associated key signal translator in 
the console control cabinet at the customer’s 
premises. The encoded data is inserted into the 
local shift register as a binary number when the 
register is found to be empty. From there this 
data is transmitted in serial form to the ESS central 
office where it is received by a receiver. The 
receiver stores the data in the data shift register. 
The contents of the register are read out by means 
of the key scan program which is entered from 
the CC executive control program at regular 
interrupt intervals. 


D. Key Scan Program 


3.13 A key scan program scans the centrex data 

units at the centra! office for the presence 
of key signals received from the remote attendant 
consoles. When a key signal is received by the 
data unit, a KSP scan point is saturated. The key 
scan program then generates a hopper entry 
containing the key signal. After the key signals 
have been read, this same program sends any 
lamp data that has been awaiting transmission back 
to the console location. The centrex key scan 
program is entered from the executive control 
program on an interrupt basis. 





13 


3.14 Several scan points are provided to inform 

the system about the state of the data link 
circuit—that is, whether or not the data link circuit 
is in the process of transmitting or receiving data 
and/or whether or not there is any information 
present in its register waiting to be read by the 
CC. These scan points must be checked before 
lamp data is loaded into the register for transmission 
to the remote end of the data loop. 


3.15 The centrex key scan function can be 

performed either by a CC or by an SP 
program (whichever is used for input-output 
functions). 


4. THEORY — INTRODUCTION 


4.01 The purpose of the centrex data link circuit 
is to: 


(a) Accept and record 24 bits from either cf 
the two peripheral buses 


(b) Provide the means for converting this parallel 
word into a sequence of mark and space 
signals transmitted to the line in serial form 


(c) Generate and construct the proper line signal 
intelligence in accordance with a predetermined 
frequency—shift method of signaling 


(d) Provide means for simultaneously transmitting 

and receiving data at a rate of 1400 BPS 
and recording the received information in the 
same location that previously contained the 
transmitted word 


(e) Provide the means for initiating transmission 
placed as a request by either the ESS or 
remotely located data receiving circuitry 


(f) Provide means for detecting the absence of 
signals on the incoming line 


(g) Provide means, for diagnostic purposes, to 
advance the shift register and counter in 
single steps. 


4.02 The centrex data link sub-unit blocks shown 

in Fig. 6 indicate both common circuitry 
and circuitry needed for each data link which is 
mounted in the same bay. The common circuitry 
provides facilities for reading peripheral bus 
information and includes pulse stretching or dynamic 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


ISS 2, SECTION 231-037-000 


buffer register circuitry. This circuitry will serve 
as a temporary memory for all bits received over 
the peripheral bus circuit. The circuit is duplicated 
in that each peripheral bus is connected to two 
identical halves containing receivers and register 
circuits. The common circuitry also contains facilities 
for receiving and amplifying enable signals. 
Provisions are made for accepting two enable signals 
for each data link and an additional enable-start 
(ENST) signal. 


5. THEORY — DATA LOOP LINE SIGNAL TRANSMISSION 


5.01 When key signals or lamp data is to be 

transmitted via a data loop, it must be 
converted into audio-frequency signals and must 
be applied to the transmission facility. Basically, 
the method of generating and receiving the line 
signal is the same for both directions. The data 
to be transmitted is temporarily stored in the shift 
register at the transmitting end of the data loop 
prior to transmission. The contents of the shift 
register are then read out serially and are converted 
into audio frequencies for transmission to the 
opposite end of the data loop. A synchronous form 
of transmission is employed whereby the receiving 
circuitry operates in synchronism with the 
transmitting circuitry. 


A. Line Signal Data Transmission 


5.02 The data loop line signal is constructed by 

a discontinuous frequency-shift keying method 
(Fig. 7). The line signal is generated by switching 
between two oscillators, one operating at 700 Hz 
and the other operating at 2100 Hz. 


5.03 Tone Gate: Switching between the two 

oscillators is accomplished by the use of a 
tone gate. The tone gate applies the output of 
either of the two oscillators to the line, depending 
on the contents of the shift register. When the 
first bit in the shift register is a 1 (mark), the 
tone gate applies the output of the 2100-Hz oscillator 
to the line. When the first bit is a 0 (space), the 
tone gate applies the output of the 700-Hz oscillator 
to the line. Each of the succeeding bits causes 
the output of either the 700-Hz or 2100-Hz oscillator 
to be applied to the line in a similar manner. 


5.04 Oscillator Buffer Circuit: The oscillator 


buffer circuit isolates the oscillator from 
the tone gate. 


Page 13 





14 


Centrex Data Loop and Console Control - Description & Theory /#1A ESS — Part 1 


SECTION 231-037-000 


5.05 Zero-Crossing Synchronizing Generator: 

This circuit is used to ensure that the shifting 
of the register is synchronized with the phase of 
the audio signal oscillators. Each zero crossing of 
the 700-Hz signal occurs at the same time and has 
the same polarity slope as the 2100-Hz signal. This 
is accomplished by stopping both oscillators 
momentarily and restarting them again in proper 
phase relation. This phase-correcting function is 
performed by the zero-crossing synchronizing 
generator. Figure 8 illustrates the output of the 
two oscillators and the points at which they are 
stopped and restarted in phase. 


5.06 Oscillator: The basic source of the line 

signal is a pair of oscillators which are 
fundamentally identical. Mutual coupling insures 
that a reasonable degree of frequency tracking 
exists. Signal amplification and synchronizing pulses 
are generated by circuit packs SYNC-0 and OBC-0. 
These two circuit packs provide for the necessary 
signal gain as well as timing and synchronizing 
pulses. 


5.07 Figure 9 illustrates a de binary signal applied 

to a tone gate and the resulting line signal 
which is transmitted. (Only a few of the bits are 
shown in this illustration.) A binary 0, or space 
signal, is represented by a half cycle of the 700-Hz 
signal. A binary 1, or mark signal, is represented 
by three half cycles of the 2100-Hz signal. The 
presence of a mark will, therefore, cause a phase 
reversal during the center of a bit interval as 
opposed to the presence of a space. 


5.08 When key data or lamp data is not being 

transmitted, the data loop idles with a steady 
700-Hz tone applied to the line. This tone is 
equivalent to a continuous stream of spaces. The 
steady idling tone keeps the receiver circuit at 
the receiving end of a data loop in synchronism 
with the transmitter. This continuous idling tone 
also serves as a guard against impulse noise on 
the line causing false starts of the shift registers 
at the receiving end of the data loop. 


B. Line Signal Data Recovery 


5.09 Data recovery from the line signal is 

accomplished by sampling the received signal 
at the center of each bit interval. A phase reversal 
during the center of a bit interval caused by the 
presence of the 2100-Hz signal is interpreted by 
the receiving equipment as a mark. 


Page 14 


5.10 The data receivers (Fig. 4) at both ends of 

the data loop are in either an idle or an 
active mode similar to the transmitters. The 
receivers must be switched to the active state prior 
to the reception of the data. The data receiver 
circuit at the central office end of the data loop 
is switched from an idle to an active mode as the 
associated transmitter changes from idle to active. 
The data receiver at the remote end is switched 
from an idle to an active mode by the receipt of 
the initial mark. 


5.11 After switching to an active mode, the shift 

registers shift in synchronization with the 
transmit signal. This is because the last cell of 
the shift register is the bit being transmitted at 
any instant. The receivers interpret each bit slot 
as data and temporarily store the received data in 
an MS flip-flop, from which it is gated into the 
shift register in proper phase relationship to the 
shift pulses. 


5.12. The oscillators in each data receiver are 

kept in synchronism and in phase with the 
incoming line signal by line-to-oscillator signal 
coupling. This permits synchronizing pulses and 
sampling pulses to be generated at the receiver. 
The synchronizing pulses are used to accurately 
adjust the phase of the receive oscillators. At 
the remote end these pulses also provide the shift 
function. These closely locked oscillator pairs also 
generate the sampling pulses used in sampling the 
center of each bit interval. 


5.13 The central office end of a centrex data loop 

is equipped with one pair of oscillators for 
transmission and another pair for data recovery, 
whereas the remote end of a data loop is equipped 
with only one set of oscillators which performs 
both transmitting and receiving functions. 


5.14 Figure 10 is a block diagram of a simplified 

data receiver. The tone gate which ensures 
that data is transmitted in synchronism with the 
received data is included. 


5.15 The line amplifier in the data receiver 

amplifies the received line signal and provides 
the coupling to synchronize the 700-Hz oscillator 
signal with the line signal. 


5.16 The oscillator buffer circuit amplifies the 
two local oscillator signals and furnishes the 
sampling pulses for the line signal sampler. 





15 


Review of "The al-Qa'ida Papers - Drones” 


Overview 


Recently, The Associated Press found several documents in buildings occupied by alleged 
al-Qa'ida fighters in Timbuktu, Mali. These papers have since been publically released on the AP's 
website in the original Arabic and a translation in English. One of the released documents was 
entitled "The al-Qa'ida Papers — Drones," and appears to give several different tips on how to avoid 
detection by overhead unmanned military drones. It was written by Abdullah bin Mohammed on 
June 17, 2011. 


Below will be a copy of the original English translation text, along with some notes and comments 
on if these methods could actually be effective. 


Tactics 


1.) It is possible to know the intention and the mission of the drone by using the 
Russian-made "sky grabber" device to infiltrate the drone's waves and the frequencies. The 
device is available in the market for $2,595 and the one who operates it should be a 
computer know-how. 


SkyGrabber is an "offline" satellite downloader. It can intercept satellite traffic (video, movies, 
music, pictures, data, etc.) that is being sent by other satellite users/obroadcasters and records the 
raw information to your hard drive. It does require compatible DVB satellite receiving hardware, a 
low-noise block converter, and a parabolic dish antenna. Metadata embedded within the raw 
MPEG video streams often provides important operational details, including the drone's GPS 
coordinates. Predators, and other military drones, often use commerical SATCOM satellites for the 
video/data feeds when operating in non—Line-of-Sight (LOS) modes. An external frequency 
tranverter will need to be used to intercept any video/data on the drone's C-band LOS links. This is 
to convert the 5.2 — 5.9 GHz range down to the satellite receiver's IF (950 — 1750 MHz) range. 


2.) Using devices that broadcast frequencies or pack of frequencies to disconnect the 
contacts and confuse the frequencies used to control the drone. The Mujahideen have had 
successful experiments using the Russian—made Racal. 


You'd need to jam the Ku-band receiver on either the drone itself (10.95 — 12.75 GHz) or the 
orbiting satellite (13.75 — 14.50 GHz). This is theoretically doable, but would require a fair amount 
of RF jamming power and a steerable parabolic dish — and you'd probably need to be above the 
operating drone! Racal is a British defense contractor who makes high-quality military radios. 


3.) Spreading the reflective pieces of glass on a car or on the roof of the building. 


No! This would actually make it easier for an orbiting drone to follow you, not to mention being a 
great reflector for the laser designator used for laser-guided bombs and Hellfire missiles. 


4.) Placing a group of skilled snipers to hunt the drone, especially the reconnaissance ones 
because they fly low, about six kilometers or less. 


Easier said than done... Shooting a drone that you can't see, can't hear, and is flying at over 15,000 


feet while 5 miles out isn't something you can do without alot of luck — and a fire control 
radar. Maybe when it's taking off or landing, but getting that close to a military base isn't easy. 


16 


5.) Jamming of and confusing of electronic communication using the ordinary water-lifting 
dynamo fitted with a 30-meter copper pole. 


Not sure what this means, but it doesn't sound like it would work. 


6.) Jamming of and confusing of electronic communication using old equipment and 
keeping them 24-hour running because of their strong frequencies and it is possible using 
simple ideas of deception of equipment to attract the electronic waves devices similar to that 
used by the Yugoslav army when they used the microwave (oven) in attracting and 
confusing the NATO missiles fitted with electromagnetic searching devices. 


You'd need to use real RF noise jammers at the drone's Ku-band, C-band, L1 & L2 GPS, and IFF 
frequencies. BTW, your jamming gear will make nice targets for anti-radiation weapons and 
direction finding gear, so make sure it's set up to not give away your location. 


I'm not sure if the NATO/microwave oven legend is true or not. A microwave oven's emissions 
could possibly look like a 2.45 GHz CW illumination radar to some anti-radiation missiles. 


7.) Using general confusion methods and not to use permanent headquarters. 
Could possibly work... No central location makes it theoretically harder to track you down — but it 
will also make it harder to operate and secure as you're always on the move and would need to plan 


everything out ahead of time. 


8.) Discovering the presence of a drone through well-placed reconnaissance networks and 
to warn all the formations to halt any movement in the area. 


Could possibly work... It's really difficult to spot orbiting drones via your "eyes and ears." Portable 
radar sites based on salvaged and hacked marine radars (S- and X-bands) and 
interferometer—type surveillance gear to "listen" for the drones propeller could possibly work. 
Detecting the drone's active RF emissions may also be possible. The fairly high-power Ku-band 
SATCOM uplinks may be detectable on the ground via tropospheric scatter, depending on the 
weather conditions. 

9.) To hide from being directly or indirectly spotted, especially at night. 

No! When using thermal imaging devices, moving at night would actually make you stand out even 
more! To counter thermal imaging systems, it's best to move around during dawn or dusk, when the 
general background thermal contrasts are changing — or when it's raining. It would also be best to 
move during the daytime and within a large group of (similar) people. 

10.) To hide under thick trees because they are the best cover against the planes. 


Possible, but thermal imaging devices will still find you under cover. Remember that the drones can 
loiter over the same area for 12+ hours, and you'd have to move sooner or later. 


11.) To stay in places unlit by the sun such as the shadows of the buildings or the trees. 


Again, this won't to anything if thermal imaging devices are being used, and purposely moving 
around in the shadows would probably make you look even more suspicious to the drone operator. 


17 


12.) Maintain complete silence of all wireless contacts. 


True. Any radio/optical/acoustic communication system can be intercepted and "direction 
found." But if do need to communicate, use fast frequency—hopping, or other type of spread 
spectrum system, operating at the microwave frequencies and with strong encryption to minimize 
interception. 60 GHz microwave links are also naturally attenuated by the 

atmosphere. Laser—based communication systems can be very secure for point-to-point 
operations, but are difficult to aim. 


You can mask general VHF/UHF radio traffic by transmitting on a frequency which is close to the 
video/audio carrier of a high-power FM or TV broadcast station. This is to help hide (Somewhat) 
your lower power transmission within the higher power transmission. This is an old trick which 
everyone knows, though... 


13.) Disembark of vehicles and keep away from them especially when being chased or 
during combat. 


Yeah, just before the vehicle explodes you should probably get out and run! 
14.) To deceive the drone by entering places of multiple entrances and exits. 


Drones can loiter in the same general area at an altitude of 5,000 to over 25,000 feet, and are able 
to watch the same target for may hours. You better have a proper escape planned ahead of time... 


15.) Using underground shelters because the missiles fired by these planes are usually of 
the fragmented anti-personnel and not anti-buildings type. 


True, but there are several different models of the AGM-—114 Hellfire missile designed for all 
different kinds of targets. The 500 pound GBU-12 Paveways which Predators/Reapers can also 
carry can usually penetrate most underground or hardened shelters. 


16.) To avoid gathering in open areas and in urgent cases, use building of multiple doors or 
exits. 


True, it's probably best to use the general population (and their travels) for your own cover. 
17.) Forming anti-spies groups to look for spies and agents. 


True, keep an eye out for any person(s) with a last name containing Cohen, Rosen, Berg, Stein, 
Stern, Katz, Levy, Baum, Fried, Gold, Silver, Leib, Frank, Witz, etc. 


18.) Formation of fake gatherings such as using dolls and statutes to be placed outside 
false ditches to mislead the enemy. 


This is unlikey to fool modern electro—optical sensors, maybe only for a short period of time. It 
would be funny to see a blow-up doll with a hair dryer stuck in it... 


19.) When discovering that a drone is after a car, leave the car immediately and everyone 
should go in different direction because the planes are unable to get after everyone. 


True, but detecting the drone in the first place is where the real challenge is. Be sure to use a 
"GBPPR Battlefield Laser Warning Receiver" as covered in GBPPR ‘Zine, |ssue #109. 


18 


20.) Using natural barricades like forests and caves when there is an urgent need for 
training or gathering. 


Should work, but finding the proper natural barriers quickly may by diffcult and they may even be 
under surveillance before you reach them. Others will be looking for these natural barriers, too... 


21.) In frequently targeted areas, use smoke as cover by burning tires. 


Smoke screens can block most electro—optical sensors for a short period of time, but in reality, 
burning tires will just cause your eyes to sting and you won't be able to breathe! A proper smoke 
screen should be deployed upon detection of an enemy laser designator, though. 


22.) As for the leaders or those sought after, they should not use communications 
equipment because the enemy usually keeps a voice tag through which they can identify the 
speaking person and then locate him. 


True, almost all voice radio or telecommunication traffic is trivial to intercept and record for future 
processing. Text-to—speech systems could be used to mask any voice communication, if needed. 





19 


GBPPR 800 MHz Cellular Phone Jammer 


This is a RF jammer designed for the U.S. 800 MHz cellular phone band (870-895 MHz). It works 
by generating an overpowering sweeping RF carrier on the cellular handset's receive frequency 
range. 


Overview 


An Exar XR2206 Multifunction Generator will be used as the triangle wave generator for providing 
the sweep portion of the jammer circuit. The sweep generator will control a Z—-Communications 
V580MC04 Voltage Controlled Oscillator (VCO) to sweep between approximately 850-895 MHz at 
a rate of around 100 kHz. 


The VCO is arguably the most important component in a cellular phone jamming system. It's a little 
four-terminal device (V,,, RF Output, Voltage Tune, and Ground) which generates the required 
low-level RF output signal with a minimal amount of fuss. Unfortunately, VCOs covering the proper 
frequency range you need can be difficult to find. Companies such as Mini—Circuits and 
Z—Communications are very helpful to amateur electronics enthusiasts, and will sell their VCO 
models in single quantities directly or point you to a local distributor. 


The VCO you choose should cover the frequency range of the cellular base station's downlink 
frequencies (tower transmit) you wish to jam. You always try to jam the receiver, so in this case, 
you'd jam the mobile station's (handset) receive frequencies — which are the cellular tower's 
transmit frequencies. These frequencies will vary around the world, but the overall concept will 
remain the same. 


Two 5 kohm multiturn potentiometers are required to provide a proper DC offset for the VCO's 
voltage tune line. What this does is give the sweeping triangle wave a positive DC voltage offset to 
help "center" the sweeping triangle wave within the required jamming frequency range. The 
amplitude of the triangle wave corresponds directly to the frequency width of the jamming 

range. Here's an example using a generic VCO: 


Voltage Tune (+ Volts DC) Frequency Output (MHz 
790 
810 
830 
850 
870 
890 
910 


DoF WNEF CO 


In our above example, a particular VCO is capable of tuning between 790-910 MHz with a voltage 

tune from 0 to +6 VDC. This works out to about 20 MHz of tuning per volt. So, if a person wanted 

to "jam" the frequencies between 870-890 MHz, they would need a +1 volt peak-to-peak triangle 

wave with a DC offset of +4 volts. This would result in voltage signal sweeping between +4 and +5 
VDC (referenced from ground), and would sweep the VCO's RF output between 870-890 MHz. Of 
course, in real life, the voltage—to—frequency mappings are not this precise. 


Another important section of the RF jammer chain is the final RF power amplifier. This is a device 
which takes a small RF input signal, say at +10 dBm (10 milliwatts), and amplifies it up to around 
+36 dBm (4 watts) or more. The cheapest source of these amplifiers is from old analog cellular 
phones themselves. Some older cellular phones (Motorola, Nokia, Uniden, etc.) will use a 
broadband RF power "hybrid" module which helps make their construction easier and smaller. 


20 


These RF module devices tend to be very wideband frequency wise, and will easily amplify RF 
signals outside of their intended range. Increasing the module's RF power control bias (V.,,) Or Vag 
voltage can also milk a little more gain out of them, but will also negatively effect the lifetime of the 
power module. The RF power module wi// need to be connected to a large, smooth heatsink and 
may also require a cooling fan on higher power amplifiers. 


For this project, we'll be using a Hitachi PFO030 820-850 MHz RF power amplifier module salvaged 
from an old CT-1055 Radio Shack/Nokia cellular phone. These particular modules will work to over 
900 MHz with only a slight decrease in gain at those higher frequencies. Running the Vg voltage at 
+15 to +17 VDC will also slightly increases the available RF power output. I've gotten them to hit 
10+ watts output when properly layed out and constructed with a large heatsink, but it's usually not 
worth the risk. Try to keep the maximum RF output power around 4 to 6 watts. 


Most broadband RF power hybrid modules rarely need more than +13 dBm (20 mW) of RF input to 
work properly. This is perfect for being driven directly from the VCO's RF output without the need 
for an additional RF pre—amplification stage. Increasing the RF input power will only shorten the 
lifetime of the power module and will have a minimal impact on output gain. 


The most important part of any radio system is the antenna. Spend a good chunk of your money on 
the antenna system (and coaxial cable), and you'll have no problems. Use a coathanger and some 
alligator clips and you'll be emailing me 50 times a day saying it doesn't work. 


Thankfully, you can also salvage a usable antenna from (some) old analog cellular phones. Those 
magnetic or trunk mount antennas work the best. Glass—mount antennas or anything "stick—on" are 
basically crap. Directional gain (Yagi) antennas can be used to increase the jammer's performance, 
but only in the direction the antenna is pointed. High-—gain, omni-directional antennas are ideal for 
most RF jamming applications. For homebrew designs, you can scale down (or up) 900 MHz band 
amateur radio band antennas. 


Below is the voltage—to—frequency mapping of Z-Comm V580MC04 VCO. The RF output power 
was around +8 dBm over the entire frequency range. 


Voltage Tune (+ Volts DC) Frequency Output (MHz 


00 771 

15 825 800 MHz Cell Phone Handset TX / SMR Repeater Input 
25 832 800 MHz Cell Phone Handset TX 

.50 847 800 MHz Cell Phone Handset TX 

.75 861 800 MHz Nextel / SMR Repeater Output 
.00 874 800 MHz Cell Phone Handset RX 

.25 885 800 MHz Cell Phone Handset RX 

.50 897 800 MHz Cell Phone Handset RX 

275 907 Part 15 / Amateur Radio 

.00 918 Part 15 / Amateur Radio 

£25 928 Part 15 / Amateur Radio / Pagers / GSM 
.50 938 Pagers / 900 MHz Trunked Systems / GSM 
75 948 900 MHz Trunked Systems / GSM 

.00 957 STL Links / GSM 

225 967 

50 976 

ey ii) 986 

00 995 

2D 1004 

-50 1014 

LD 1023 

Focal 1030 





PPR RP RBWBWWWNNNNEFPRPRPRPOTWOO OC 


21 


Pictures & Construction Notes 


e 


! 


i 


i 


- 


| 


EJ 
i 


way 
(z 
{ 





Overview of a old Radio Shack CT—1055 (Cat No. 17—1007A) 800 MHz band analog cellular phone. 


The Hitachi PFO030 RF power amplifier module from this phone will be salvaged for use as the RF 
power amplifier in the jammer. 


You can often find these cellular phones at hamradio swapfests or you can find the individual 
PFO030 modules on eBay for under $10. 


22 





Closeup view of the Hitachi PFO0030 RF power amplifier installed in the stock Radio Shack cellular 
phone. 


Note how it is mounted on its own little aluminum heatsink block. This should also be salvaged and 
used in the jammer. 


There should be a very thin smear of heatsink grease on the back flange of the PF0030. The 
PFO030 should then be attached to the heatsink via two screws. Be sure not to overtighten the 
screws or the PF0030's flange will flex, cracking the delicate internal circuit board. 


The PF0030's flange should share a common ground with the rest of the system. 


23 





Installing the PFO030 RF power module in the case for the cellular phone jammer. 


The +10 VDC voltage regulator board is mounted just behind the input banana jacks. 


The regulator board is a little overengineered, but the extra filtering and protection is required if you 
are using the +12 VDC power from a vehicle. Those tend to be electrically noisy. 


The circuit for the PF0030 is taken basically from the datasheet. An optional SWR protection circuit 
was added using an Anaren directional coupler to monitor the reflected power. In a high SWR 
condition, the voltage to the PF0030's V,,,, line is shunted to ground, effectively lowering the RF 
output of the PFO030. 

The ferrite bead on the PF0030's V4, line should be capable of handling 3 amps continuous. 


Proper RF engineering PC board layout and construction techniques should be used on the circuit 
board for the RF amplifier and VCO. 


The PF0030's V4, line can be connected to +10 VDC if you don't require the full RF output or if you 
need reduce the overall current draw. 


24 


- 7 ne | 
- 7 7 « 
if al 
; : > Fae 
‘ ead. 
. ~* > 
F ~ aoa c§ 
= : 
hb : ; 
4 = 
i : 
> i 
Wey entre 
: aps" 
A ea. i. 


hte hy fehks a. 
PURE 
% y tes ve 





Naa aseae A b URNS “hee 
i” SS Slide TERE: sgl cE SESS PD 
wha Toten ws 3 as “ke 2 ¥, 

Sub 


Overview of the sweep generator and VCO circuit board. 


The Exar XR2206 is configured to produce a triangle wave at around 100 kHz. 


The blue multiturn potentiometer controls the Sweep Amplitude of the triangle wave. This 
amplitude corresponds to the jammer's frequency sweep (start/stop) range. 


The two black multiturn potentiometers control the Band A and Band B DC offsets on the VCO for 
determining the "start" frequency of the jammer. 


The Z-Comm V580MC04 VCO is the silver box on the left. It has its own 78L05 voltage regulator. 


25 


Z-COMM * f 
V580MC04 
0002 3700 


a 
a 
mt 
ies 
i=) 


ai i 
\ 





Alternate view of the sweep generator and VCO circuit board. 


The timing resistor and capacitor for the XR2206 should be of high quality and tolerance. A 1% 
tolerance 10k resistor and 5% tolerance 1000 pF capacitor are shown here. 


The peak-to-peak voltage of the triangle wave should be around 0.894 volts. 


The DC offset for Band A (850 — 895 MHz) should be 1.02 volts. Measured at the wiper terminal of 
the Band A multiturn potentiometer. 


The DC offset for Band B (810 — 865 MHz) should be 0.396 volts. Measured at the wiper terminal 
of the Band B multiturn potentiometer. 


These voltages were for my own jammer. Yours may need to be tweaked a little bit because of 


component tolerances. | increased the jamming frequency range on Band A a bit to cover the 800 
MHz Specialized Mobile Radio (SMR), Nextel, and public safety frequencies. 


26 


SPAN 10 MHz 
0 dB ATTEN 1 





HP8569B spectrum analyzer view of the GBPPR 800 MHz Cellular Phone Jammer in operation with 
Band A selected. 


The display is 10 MHz per horizontal division and 10 dB per vertical division. 

The center frequency is 880 MHz. 

The jamming frequency range is approximately 850 MHz to 895 MHz. 

Because the jamming power is spread over such a large bandwidth — 45 MHz in this case — the 


jammer's effective range won't be as great as if were all centered on a single frequency. This is 
normal and should be taken into account in tactical jamming applications. 


27 








Another HP8569B spectrum analyzer view of the GBPPR 800 MHz Cellular Phone Jammer in 
operation with Band A selected. 


The display is 100 MHz per horizontal division and 10 GB per vertical division. 
The center frequency is 850 MHz. 


Displayed range is 400 MHz to 1800 MHz. There were major spurs or oscillations detected in the 
completed jammer. 


28 


Tm [os 


ie Rye 


i 


Fh 


i eet) 





Internal overview of a completed GBPPR 800 MHz Cellular Phone Jammer. 
The RF Power Control potentiometer is on the lower-left, connected via the orange wires. 


The RF output from the VCO is connected to the PFO030 RF power module circuit board using a 
short SMA jumper. 


A panel-mounted TNC connector is used for the final RF Output / Antenna connection. 


Ideally, the RF output jack and the VCO shouldn't be so physically close together. 


29 





O€003d 


Alternate view. 


The Anaren directional coupler is on the RF output of the PF0030 for an optional SWR protection 
circuit. 


The 50 ohm termination resistor for the directional coupler should be 1 watt and of RF quality (i.e. 


surface mount). | didn't have any of those available, so | used two 100 ohm / 1 watt SMT resistors 
in parallel. 


30 


900 MHz Cell Phone Jammer 


ower 
Control 





Overview of the finished GBPPR 800 MHz Cellular Phone Jammer. 
An example antenna is also shown. 


The RF Power Control potentiometer is on the left. Fully counter—clockwise is minimum (or no) RF 
output, and rotating the control clockwise gradually increases the RF output. 


The RF Output / Antenna panel—mount TNC connector is in the middle. 
The +12 VDC power input is via the banana jacks on the right. 

The red switch is for main DC power. 

The yellow switch is for Band Select. 


The RF power output at +12 VDC is: 


Current Draw RF_ Output _ (dBm) RF Output (Watts) 
O.5 A +31.7 1.48 
1.0 A +36.8 4.79 
1.5 A +38.5 7.08 
2.0 A +39.0 7.94 





31 






4N0zZZ LOVSNIL VWZZZ9N1L 


yndino 
SGA OL+ 





esn4  peeg ejiwe4 

XE NAZOE6ZOIN WS  jyueung-ybIH 
JOQ191IN PPA 
0€004d 


JoyeinBay ebeyo, OA Ol+ 


JOULE auoud 4e/N[19D ZHIN 008 Hdd 


32 


9027HX 4eXx3 
Joyejauasd daams 





33 


% | 


pesg ee [=] 
| OX OL 


ZHW S98-018 :g pueg 
ZHW S68-08 :v pueg rl ) = 


%G 
4d o0dt 







it OALV 
VODINO8SSA 
WILIOD-Z ms 


(leyiduy of) 

+ BD 
OQ TI 
a2 

: OAS 

~ 12SHO 

@ pueg 

OAS 

12SHO 

Vv pueg 


ODA 8 Joyeseuay dsams 


JOUILUEP QUOYd, 4e&/N//9D ZHI 008 HdddD 


34 






Mb/k junoyy-jaueg 
%l u0s 





pieog 
Joyejnbay 
woj4 








peeg aye 0 8'L 
jUauUND-ybI_ 
4d 001 || — 
U4 O00! || 
LLZSNL 40 (ODA wo14) 
BY Locdaw = 
= 
se = woos = 
= 5 pisses Eo ) = 
= > mm) OE Ge) z 
Ys d0lL-vV00609X - 
S usIeuy Jojyenually gp Ee 
z UONIAIOld HMS | 
JayiJAuiy JeMOd 4Y 0€00dd 
peeg eywe4 [—] IYDeWH 
SUI|CUISOJOIW TOS Fee JaipI|GUUY JeMOd 4Y 





doulilep 9uUOUd 4e/N[/9D ZHIN 008 HdddD 





35 


End of Issue #110 








Any 
Editorial and Rants 


Remember when we could give speeches without ‘pre-approval?’ Where are all 
those so-called ‘freedom of speech' advocates now? Change! 


School Cut Off Valedictorian's Microphone During Speech 
June 7, 2013 — From: myfoxdfw.com 
by Brandon Todd 


A North Texas high school silenced its Valedictorian's microphone during his speech, prompting 
questions over his free speech rights. 


Students attending the Joshua High School graduation say Remington Reimer's microphone 
was cut off, right when he began to talk about the Constitution. 


"He just said, he was talking about getting constitutional rights getting taken away from 
him," Colin Radford, a Joshua H.S. graduate, said. "And then he said, just yesterday they 
threatened to turn my microphone off, and then his microphone went off." 


Reimer, who was accepted into the Naval Academy, had his speech pre-approved by the school 
district. 


Joshua Independent School District issued a statement: 

"Student speakers were told that if their soeeches deviated from the prior-reviewed material, the 
microphone would be turned off, regardless of content. When one student's speech deviated from 
the prior-reviewed speech, the microphone was turned off, pursuant to District policy and 
procedure." 

Many attendees initially asked if the microphone was turned off because Reimer mentioned 

religion. But since the ceremony opened and closed with a prayer, and Reimer's speech mentioned 
God and Jesus throughout, graduate Zachery Hull believes it had nothing to do with religion. 


"Freedom of speech," Hull said. "He said what he was going to say, they did what they had to do. 
Everyone was right." 


Reimer's mother told FOX 4 off camera that she, her family and her son had no comment. 


36 


I think it’s im portant to 
understand that you 
can’t have 100 percent 
security and then have 
100 percent privacy renal 
zero Inconvenience. 
We’re going to have to 
make some choices as a 
society. 

-Barack Obama 


Any society that 
would give up a 
hittle liberty to gain 
a little security will 
deserve neither and 
lose both. 


-Benjamin Franklin 


i 
T0 US 





37 


A 3% tax on tea eventually 
led to the American revolution. 
Now you pay up to 70% of your 

earnings to a De Facto corporate 
government. You are groped at 
the airport, surveilled on the 
street, spied upon in your own 
home, fed propaganda by the 
media, lied to by your 
representatives, have your 
rights eroded, your currency 
devalued and are on the verge 
of an overt police state. 
WTF happened to home of the 
brave, land of the free? 





38 





"It is getting to the point where the mark of international distinction and 
service to humanity is no longer the Nobel Peace Prize, but an espionage 


indictment from the U.S. Department of Justice." 
—-— June 22, 2013 quote from Julian Assange. 


(wikileaks.org/Statement—by—Julian—Assange—after,249.html) 


39 


How the Media Lies to You 


The Fake EIZBOAH XPYEAYTITON ETO MANAPKAAIKO NOZOKOMEIO 


Greek mass media outlets such as Alpha TVand the 
Editor's Newspaper used this badly photoshopped 
picture as supposed "proof" for their false allegations 
that members of the Greek nationalist party Golden 
Dawn violently invaded the Panarcadian Hospital in 
Tripoli. 


The Real Photo 


Golden Dawn members protecting a peaceful demonstration 
from violent anarchists, who in Greece are notorious for 
killing civilians by bombing places such as shopping malls 
and subway cars. 


Photo taken on Crete, more than 400km southeast of the 
hospital in question. 


What actually happened 


Representatives of Golden Dawn visit the 
Panarcadian Hospital and have a civilized discussion 
with the hospital's manager, Helen Siourouni (left), in 
which she agrees that the employment of illegal 
immigrants within the hospital is a big problem and 
unfair to the Greek taxpayer. 

She was later removed from her position as manager, 
because she allegedly "allowed armed thugs to walk 
around the hospital”. 





40 


